PT-2026-35063 · 4Gaboards · 4Gaboards

Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-41418

CVSS v3.1: 5.3 (Medium), AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

4ga Boards versions prior to 3.3.5

Description

4ga Boards is a boards system for realtime project management. The software allows user enumeration through a timing side-channel in the login endpoint '/api/access-tokens'. The server responds significantly faster when an invalid username or email is provided compared to when a valid one is used with an incorrect password. This difference occurs because the server executes the bcrypt.compareSync() function only when a valid user is identified, creating a detectable timing gap that can be used to verify the existence of users.

Recommendations

Update to version 3.3.5.
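
One way to close the timing gap described above, shown beside the early-return pattern that causes it. This is an added example, not the 4ga Boards code or its 3.3.5 patch. All names (`users`, `loginVulnerable`, `loginHardened`, `hashWork`) are hypothetical, and Node's `crypto.scryptSync` stands in for `bcrypt.compareSync` so the block runs with the standard library only.

```javascript
// Added example; every name here is hypothetical and the user store is constructed.
// crypto.scryptSync is a stand-in for bcrypt.compareSync (assumption, stdlib only).
const crypto = require('crypto');

let hashCalls = 0; // counts expensive password-hash operations

function hashPassword(password, salt) {
  hashCalls++;
  return crypto.scryptSync(password, salt, 32);
}

function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: hashPassword(password, salt) };
}

// Constructed sample user store.
const users = new Map([['alice@example.com', makeRecord('correct horse')]]);
// Dummy record with the same cost parameters, built once at startup.
const DUMMY = makeRecord(crypto.randomBytes(32).toString('hex'));

function verify(record, password) {
  const candidate = hashPassword(password, record.salt);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Pattern from the description: the hash runs only when the user exists.
function loginVulnerable(login, password) {
  const record = users.get(login);
  if (!record) return false; // early return, no hash computed
  return verify(record, password);
}

// Hardened: every request performs exactly one hash comparison.
function loginHardened(login, password) {
  const record = users.get(login);
  const ok = verify(record || DUMMY, password);
  return Boolean(record) && ok;
}

// Reports the result and the hash work done for a single login attempt.
function hashWork(loginFn, login, password) {
  hashCalls = 0;
  const result = loginFn(login, password);
  return { result, hashCalls };
}
```

Comparing `hashWork(...)` for a known and an unknown login shows the difference in work directly: the first handler does zero hash operations for unknown logins, the second does one in every case.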

Related Identifiers

CVE-2026-41418

Affected Products

4Gaboards